Smart Card Alliance responds to passport card and EDL hack

Feb 11, 2009
Source: XOD

Recent headlines have confused U.S.
electronic passports -- the passport books with the blue cover and the
small gold e-passport icon -- with the new U.S. Passport Cards and Enhanced
Driver's Licenses (EDL) already being issued as border crossing credentials
by some states.

The confusion came in media reporting about security researcher Chris
Paget, who demonstrated the ease of scanning, cloning and
tracking RFID-based U.S. Passport Cards and Enhanced Driver's Licenses
(EDL) in a YouTube video.

"The Smart Card Alliance wants to make it clear that this demonstration did
not involve the blue U.S. electronic passport books," said Randy
Vanderhoof, executive director of the Smart Card Alliance. "Headlines
stating that passports can be scanned and tracked are wrong. The widely
reported demonstration involved U.S. Passport Cards and Enhanced Driver's
Licenses, which use EPC Gen 2 RFID technology. These are different travel
documents and use completely different technologies from U.S. electronic
passports, which use contactless smart card technology and are very privacy
secure."

Call for Review

With the coming of the new administration, the Smart Card Alliance
recommends an immediate review of the decision to use EPC Gen 2 RFID
technology in U.S. travel documents. The Alliance is prepared to endorse
the correct use of any technology that provides adequate protection of
privacy and identity information. However, as the U.S. Passport Card and
EDL programs were being defined, the Smart Card Alliance went on record advising against
using an insecure EPC Gen 2 RFID solution that put the privacy and
security of U.S. citizens' personal information at risk.

The Alliance Identity Council, whose members include technology providers
of both RFID and RF-enabled contactless smart card solutions, stands ready
to assist any government agency or department that undertakes such a
review. The Alliance provides a cross-industry forum that can offer expert
advice on how to best meet the needs of high security and throughput at
border crossings without compromising the privacy of citizens' personal
information or their safety.

Paget will present his findings on scanning RFID-based U.S. Passport Cards
in a session titled "EDL Cloning for $250" at the Shmoocon technical
conference in Washington D.C., on Sunday, Feb. 8th.

About Passport Cards, EDLs and EPC Gen 2 RFID Technology

Passport Cards are new, State Department-issued travel documents valid
primarily for crossing land borders with Canada and Mexico. They were
designed to provide a less expensive and more portable alternative to the
traditional blue passport book. Some border states are issuing or planning
to issue special driver's licenses, called Enhanced Driver's Licenses
(EDL), that are also valid for crossing land borders. The State Department
has issued nearly 700,000 passport cards to U.S. citizens in advance of
tougher border crossing rules that take effect June 1, 2009. Washington
State has issued more than 10,000 EDLs, primarily to frequent visitors to
nearby Vancouver, British Columbia.

The Passport Cards and EDLs that were the subject of this scanning
demonstration use long range, insecure, EPC Gen 2 RFID tags, which lack
encryption and authentication. It is not surprising this researcher could
remotely read Passport Cards, because the RFID tag technology used in them
was actually designed for tracking objects at long distances and is used
mostly in manufacturing and shipping. These RFID tags have minimal
built-in support for security and privacy and, for that reason, the State
Department issues Passport Cards with protective sleeves to prevent them
from being read when not in use.

About Electronic Passports and Contactless Smart Card Technology

In sharp contrast, the blue U.S. electronic passport books use RF-enabled
contactless smart card technology. This is a completely different
technology that includes a small computer inside the e-passport book. The
U.S. e-passport is not vulnerable to the remote reading attack demonstrated
on RFID-based Passport Cards and EDLs. A small gold chip icon on the book
cover indicates an electronic passport.

U.S. electronic passports are very privacy-secure. A metallic shield in
the cover prevents any information from being read when the book is closed.
Further, it has a short read range of two inches and the chip won't give up
any information until the passport book is physically opened and a unique
key that is printed inside the passport is optically scanned and sent to
the chip. The U.S.
Department of State calls this e-passport security Basic Access
Control.

Contactless smart cards are designed for high security applications and are
used in tens of millions of identity credentials and payment cards
worldwide.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association
working to stimulate the understanding, adoption, use and widespread
application of smart card technology. Through specific projects such as
education programs, market research, advocacy, industry relations and open
forums, the Alliance keeps its members connected to industry leaders and
innovative thought. The Alliance is the single industry voice for smart
cards, leading industry discussion on the impact and value of smart cards
in the U.S. and Latin America. For more information please visit
smartcardalliance.org.